Lack of desktop configuration standards hurting cybersecurity

By Jason Miller

May 21, 2004

The Office of Management and Budget and other federal agencies are falling short on meeting the most critical provision of the Federal Information Security Management Act, a security expert and Hill staff member said.

Bob Dix, staff director for the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, said OMB has not adequately provided guidance requiring agencies to set minimum security configuration controls for employees' PCs and notebooks, a key provision in FISMA.

Rep. Adam Putnam (R-Fla.), chairman of the subcommittee, will send a letter by early June to Karen Evans, OMB administrator for IT and e-government, asking her office to put greater emphasis on this issue with agency CIOs and chief security officers.

'This should be a part of the business case reviews so agencies do not purchase systems that don't have security baked in,' Dix said yesterday at a discussion on FISMA in Washington sponsored by the Center for Democracy and Technology, a nonprofit. 'We've had discussions with OMB and they agree it needs to be highlighted.'

Alan Paller, director of research for the SANS Institute of Bethesda, Md., said this provision matters the most of any in FISMA. OMB and the National Institute of Standards and Technology have ignored it too long, he said.

'It takes technical people to do it and it takes nontechnical people to do the other provisions,' he said. 'It is the only defense the government has against employees installing unprotected systems into their network.'

Stuart Katzke, a senior research scientist at NIST, disputed Paller's claims and said his agency is working on such guidance.

Paller advocates that the Homeland Security Department set up a testing lab to show agencies it can be done. He said private-sector firms, such as Merrill Lynch & Co. Inc. of New York, have set up systems in which employees' notebooks and PCs are automatically scanned to see whether they meet predetermined standards. If they do not, they are not allowed onto the network.
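As an added illustration of the kind of admission check Paller describes (this is example code written for this page, not Merrill Lynch's, SANS's or any agency's system), the script below compares a host's self-reported configuration against a published minimum baseline and refuses network admission to any host that fails a control. The baseline, the control names and the three host reports are constructed for the example and are not any real standard.

```python
"""Baseline configuration gate, modelled on the admission check described
above. Added example for this page; not the code of any firm or agency the
article names. Baseline, control names and host reports are constructed.
"""
from dataclasses import dataclass, field


# Hypothetical minimum configuration standard. Each control maps to
# (comparison, required value); values are what the endpoint agent reports.
BASELINE = {
    "patch_level":           ("min", 20040515),  # newest required patch bundle, YYYYMMDD
    "antivirus_running":     ("eq",  True),
    "signature_age_days":    ("max", 7),         # AV signatures no older than a week
    "host_firewall_enabled": ("eq",  True),
    "guest_account_enabled": ("eq",  False),
    "password_min_length":   ("min", 8),
}

# Comparison semantics for the baseline entries.
COMPARE = {
    "eq":  lambda actual, want: actual == want,
    "min": lambda actual, want: actual >= want,
    "max": lambda actual, want: actual <= want,
}


@dataclass
class Finding:
    control: str
    required: object
    actual: object   # None when the host did not report the control at all


@dataclass
class Verdict:
    host: str
    admitted: bool
    findings: list = field(default_factory=list)


def evaluate(host, report, baseline=BASELINE):
    """Compare one host's reported configuration against the baseline.

    Fails closed: a control that is missing from the report, or reported
    with an unexpected type, counts as a failure rather than a pass.
    """
    findings = []
    for control, (op, want) in baseline.items():
        actual = report.get(control)
        try:
            ok = actual is not None and COMPARE[op](actual, want)
        except TypeError:          # e.g. a string where a number was expected
            ok = False
        if not ok:
            findings.append(Finding(control, want, actual))
    return Verdict(host, admitted=not findings, findings=findings)


def admission_decisions(reports, baseline=BASELINE):
    """Gate a batch of hosts; returns {host: Verdict}. A denied host keeps
    its findings so the owner knows exactly what to remediate."""
    return {host: evaluate(host, rpt, baseline) for host, rpt in reports.items()}


# Constructed sample reports, as an endpoint agent might send them.
SAMPLE_REPORTS = {
    # fully compliant notebook
    "lt-0001": {"patch_level": 20040518, "antivirus_running": True,
                "signature_age_days": 2, "host_firewall_enabled": True,
                "guest_account_enabled": False, "password_min_length": 12},
    # stale patches and signatures, guest account left on
    "lt-0002": {"patch_level": 20040301, "antivirus_running": True,
                "signature_age_days": 21, "host_firewall_enabled": True,
                "guest_account_enabled": True, "password_min_length": 8},
    # agent omitted the firewall attribute and sent patch_level as text
    "lt-0003": {"patch_level": "20040518", "antivirus_running": True,
                "signature_age_days": 1,
                "guest_account_enabled": False, "password_min_length": 8},
}


if __name__ == "__main__":
    for host, verdict in admission_decisions(SAMPLE_REPORTS).items():
        status = "ADMIT" if verdict.admitted else "DENY "
        print(f"{status} {host}")
        for f in verdict.findings:
            print(f"       {f.control}: required {f.required}, reported {f.actual!r}")
```

Two design points matter in practice. The gate fails closed: an attribute the agent never reported, or reported in the wrong type, is a failure, not a pass, so a broken or tampered agent cannot slip a host through by saying nothing. And because the check consumes values the host reports about itself, it is only as trustworthy as the agent that collects them; a production deployment would authenticate the agent and verify the report rather than take the host's word for it.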

'The federal government must raise the bar with minimum configuration standards,' Paller said. 'It could lead and industry would follow along.'

Even with this problem, Dix and Paller said agency security is improving.

Dix said 75 percent of agencies' CIOs and deputy secretaries have met with his staff to discuss how they can improve their cybersecurity scores and to inform the subcommittee about what they are doing. The subcommittee releases an annual cybersecurity report card. In the last evaluation, in December, eight agencies received failing grades.

'The fact that OMB withheld development and modernization funds is evidence this is more than lip service,' Dix said. 'It seems CIOs are receiving more support from the top than ever before, and that is making a difference.'

Paller added that FISMA is not a failure, but agencies need to make it more of a priority.